A Microsoft Network Access Protection (NAP) Primer

Executive Summary:Organizations can leverage NAP to improve the overall security health of their Windows clients by enforcing standardized protection, sanitization, and remediation based on organizationally defined health policies.

Network Access Control (NAC) is a relatively new network security technology intended to protect organizational networks, their resources, and their users from malicious systems, devices, agents, or users. In its most basic form, NAC lets network administrators restrict network access to authorized users and devices. But NAC can also protect networks from malicious software, viruses, and malware by evaluating the security health of computers and devices that attempt to connect to a network.

In Windows Server 2008, Windows Vista, and Windows XP SP3, Microsoft introduces a NAC solution called Network Access Protection (NAP). Let’s look at what NAP can do for your organization, discuss the main components of the NAP architecture, and see how they work together.

What NAP Can Do NAP is a client-health-policy creation, enforcement, and remediation technology. NAP enforces health policies by inspecting and assessing the health of client computers that attempt to connect to a network. NAP restricts access when the computers are non-compliant with the policy. It redirects non-compliant clients to a quarantined network segment, which provides services that can be leveraged by the clients to update themselves and become compliant. NAP also provides post-connect compliance by ensuring health compliance while a client is connected to the network.

NAP lets organizations streamline the configuration and software status of all computers connected to the network. These machines include desktop computers on the internal network, as well as roaming laptops, unmanaged home computers (that employees use to connect to the corporate network via VPN connections), and the computers of visiting consultants or other temporary personnel.

When a NAP-enabled machine tries to connect to the network, NAP forces it to prove how healthy it is. Once it’s proven healthy, it’s allowed on the regular network. If it isn’t compliant with the NAP health policy, it’s granted access to a limited network, where it must update through NAP remediation servers.

NAP health policies can impose client-software and security-patch requirements, as well as required configuration settings. Out-of-the-box NAP can automatically check Windows clients for important configuration items such as the enabled/disabled status of Windows Firewall, the status of antivirus software (are Windows clients running it, and do they have up-to-date antivirus definitions installed?), and the installation status of security patches (is Automatic Updates enabled, and are the latest security patches installed?).

If you have Windows client and server OS licenses, NAP is a complementary service (in regards to software): you don’t need additional licenses to deploy NAP. The NAP server components are built into Server 2008, and the client components are bundled with Vista and XP SP3.

NAP is an extensible platform: It includes APIs that third-party developers can leverage to extend NAP and include their specific health or security checks into the NAP architecture.

Microsoft has put a lot of effort into making NAP an interoperable NAC platform. The company is working with many partners and major IT industry players to provide customers with different types of software extensions for the NAP platform. These extensions can provide services such as integration with other networking devices, additional health or security checks, and additional reporting capabilities.

Two other examples that illustrate Microsoft’s interoperability efforts are the NAP support for Cisco’s Host Credential Authorization Protocol (HCAP) and the fact that the NAP Statement of Health (SoH) protocol has been accepted as a Trusted Computing Group (TCG)/Trusted Network Connect (TNC) standard. Cisco is another major player in the NAC space and has developed a NAC solution for Cisco networking devices—Cisco NAC (CNAC). TNC is the NAC subproject of the TCG, an industry consortium—endorsed by many IT industry players—that works on standardizing the trusted computing space.

NAP Components The NAP architecture consists of four key server components—the Network Policy Server (NPS), the NAP Administration Server (NAS), enforcement servers, and remediation servers—and a set of client components, as you see in Figure 1. The figure also shows where the NAP components are typically located on the network. In this example, the NAP client is on a public network (e.g., the Internet). Keep in mind that NAP can enforce health policies on all computers that attempt to connect to the network, no matter where the computers are located.

NPS. The heart of the NAP architecture is the NPS, which performs a client-health evaluation and determines what level of access (full or restricted) a NAP client gets. In access control language, the NPS can be defined as the NAP Policy Decision Point (PDP).

Under the hood, the NPS is Microsoft’s implementation of a Remote Authentication and Dial-in User Server (RADIUS). In Server 2008, the NPS replaces the Internet Authentication Service (IAS) that shipped in previous Windows Server versions. The NPS is a role service that can be added to a Server 2008 platform as part of the Network Policy and Access Services (NPAS) server role.

NAS. The NAS is the NAP Policy Administration Point (PAP). Administrators use the NAS to define the NAP health policies that must be enforced on their network. In Server 2008, the NAP NPS and NAS are collocated. The NAS administration interface is automatically installed when the NPS role service is installed. Figure 2 shows the NAS administration interface, called the Network Policy Server MMC snap-in.

Enforcement servers. NAP supports various types of enforcement servers—these are the NAP Policy Enforcement Points (PEPs). An enforcement server effectively restricts a client’s network access based on the policy-decision information it receives from the NPS. The enforcement server also forwards a client’s health information for evaluation to an NPS. NAP supports the following enforcement methods and associated enforcement servers: DHCP, VPN, IPsec, 802.1x, and Terminal Server (TS) Gateway. In the next section, I’ll expand on the pros and cons of these NAP enforcement methods, and what servers and services you need for each of them.

Remediation servers. Remediation servers are the fourth NAP server component: They update Windows clients and bring them to compliance when their health doesn’t meet the NAP health policy. Remediation servers can be Windows Update servers or other servers that hold and distribute security patches, antivirus signatures, or service packs.

To leverage NAP, Server 2008, Vista XP, and SP3 clients take advantage of a special service: the NAP agent. The NAP agent is installed by default on all the above platforms. Administrators can configure NAP agent settings centrally by using the GPO settings located in the Computer Configuration\Windows Settings\Security Settings\Network Access Protection GPO container. The NAP agent also comes with a client-side configuration interface—the Microsoft Management Console (MMC) NAP Client Configuration snap-in (napclcfg.msc), as you see Figure 3—and can be configured from the command line through the use of Netsh commands.

The NAP agent is made up of two other services: the enforcement client and the System Health Agent (SHA).The SHA is the NAP client-side component that provides client health state inspection and reporting; it also reconfigures the computer to become compliant with the health policy. The enforcement client applies the network-access decisions on the client as they’ve been communicated and imposed by the NAP enforcement servers.

SHAs and their server-side counterparts—the System Health Validators (SHVs)—nicely illustrate how NAP is an extensible platform. An SHV is the server-side component that lets administrators define specific health policies. Third-party developers can develop their own SHAs and SHVs to include their customized health checks in the NAP logic.

Server 2008 includes one built-in SHV: the Windows Security Health Validator (WSHV). Administrators can use the WSHV to configure health policies that check whether Windows Firewall and Automatic Updates are turned on, whether virus and spyware protection are enabled and have the latest signature files installed, and whether the client has the latest security updates installed. Figure 4 shows the configuration interface for the WSHV, which you can access from the NPS snap-in.

A good example of additional SHAs and SHVs are the ones provided in the Microsoft Forefront Client Security (FCS) Integration Kit for NAP. Many more third-party NAP extensions are listed on the NAP partner website.

DHCP. When NAP uses DHCP enforcement, DHCP servers and a NAP NPS server can enforce NAP health policies when a Windows client attempts to lease or renew an IPv4 address. In this case, the client’s network access is controlled through the host’s IP address configuration and routing tables. DHCP enforcement works only with a Server 2008 DHCP server. It’s relatively easy to set up, but it can also be easily circumvented when users reconfigure their client computers to use a static IP address instead of DHCP. For DHCP enforcement, the DHCP Quarantine enforcement client must be enabled on the NAP client. You can enable or disable an enforcement client on the NAP client from the client interface in Figure 4, and you can also using GPO settings or Netsh commands.

IPsec. IPsec enforcement is the strongest (and thus preferred) NAP enforcement method. It relies on the IP security protocol (IPsec) and certificate-based client authentication. On the server side, IPsec enforcement requires a Windows Public Key Infrastructure (PKI) and a special NAP service called the Health Registration Authority (HRA). The HRA communicates with a Certification Authority (CA) and forwards X.509 certificates to NAP clients if they’re compliant with the health policy. The NAP client’s IPsec logic then uses the certificates to authenticate when it starts IPsec connections with other NAP clients. IPsec enforcement is the most flexible enforcement method because it lets administrators restrict communications on per-IP-address or per-TCP/UDP-port-number basis. It can also enforce end-to-end encryption for the IPsec connections. For IPsec enforcement, the IPsec Relying Party enforcement client must be enabled on the NAP client.

VPN. NAP VPN enforcement means that VPN servers and a NAP NPS server will enforce health policies when a client attempts to connect to the network through a VPN connection. VPN enforcement is an interesting NAP enforcement option for remote clients. On the server side, it requires the Routing and Remote Access Services (RRAS) VPN server included with Server 2008. VPN enforcement is the only enforcement method that requires two enforcement clients to be enabled on the client side: the Remote Access Quarantine enforcement client and the EAP Quarantine enforcement client.

Don’t confuse NAP VPN enforcement with the Network Access Quarantine Control (NAQC), an access-control restriction tool for VPN connections bundled with Windows 2003 and Internet Security and Acceleration (ISA) Server 2004 and 2006. As opposed to NAP, NAQC can be used only to restrict VPN connections, doesn’t provide remediation services, and isn’t enforced by a built-in client agent but by customizable script-driven client checks.

802.1X. When NAP uses 802.1X enforcement, the NPS server instructs an 802.1X switch or wireless access point (AP) to put devices non-compliant on a remediation network. In this scenario, a non-compliant machine’s network access is restricted by applying IP filters or a specific VLAN identifier to the machine’s network connection. For 802.1X enforcement, the EAP Quarantine enforcement client must be enabled on the NAP client.

Terminal Server Gateway. Terminal Server Gateway enforcement leverages the new Server 2008 TS Gateway service to restrict access for remote terminal services or remote desktop clients when they access internal resources using Remote Desktop Protocol (RDP) over HTTPs. The TS Gateway and NAP NPS enforce a health inspection of the remote client before it’s allowed access. For TS Gateway enforcement, the TS Gateway Quarantine enforcement client must be enabled on the NAP client. Unlike the other enforcement clients, the TS Gateway Quarantine enforcement client is available only on Vista clients.

One Component Organizations can leverage NAP to improve the overall security health of their Windows clients by enforcing standardized protection, sanitization, and remediation based on organizationally defined health policies. The NAP functionality might seem overwhelming, but remember that NAP is only one component of a defense-in-depth strategy. NAP complements other security technologies such as Intrusion Detection Systems (IDSs), Intrusion Prevention Systems (IPSs), and anti-malware and virus-protection software.